Excuse Me, May I Borrow Your Passwords?

Copyright © 2002 by Mike Delaney

Some time ago, I was one of the most prolific contributors to one of 
the most popular newsgroups on usenet. The newsgroup's purpose 
was to provide fraudulently-obtained, but valid, passwords for websites.


The process there is fairly straightforward: someone posts the web site address of a site that they want (free and illegal) access to. Several group members with colorful nicknames then "run" the site. If a valid username/password is found, it is emailed to the requestor, who in turn publicly heaps praise on the grantor, thus inflating his or her ego. My colorful nickname was "PassBandit", and I have a few tips for you.

The web site password authentication process is chock full of security flaws. And wherever there are security flaws, there are scads of both real- and wannabe-hackers trying to exploit them.

One of those flaws is the ability of a user to enter an unlimited number of username and password combinations without ever being locked out by the web site. In "PassBandit"'s case, this flaw allowed him to run a software application that automatically tried usernames and passwords from a supplied list, then read from the web site's reply whether the combination was successful. The program tried 70 combinations simultaneously, which gave a rate of attempts in the several-hundred-per-second range. If a particular combination didn't work, the application simply tried another combination. And another. And another, until it found a combination that worked.
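The defensive counterpart to that flaw, as an added example that is not part of the original article: a login throttle that counts failed attempts per username and per client address and refuses further attempts once a threshold is reached inside a sliding window. The threshold, window and lock duration are constructed values, and verify() stands in for whatever credential check the site already has.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions, not figures from the article).
MAX_FAILURES = 5        # failed attempts tolerated inside one window
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # temporary lock; the account is not closed outright

class LoginThrottle:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock, eases testing
        self.failures = defaultdict(list)    # key -> recent failure timestamps
        self.locked_until = {}               # key -> unlock time

    def is_locked(self, key):
        if self.locked_until.get(key, 0) > self.now():
            return True
        self.locked_until.pop(key, None)     # lock expired, forget it
        return False

    def allow_attempt(self, username, client_ip):
        # Both keys are checked: one client walking many usernames and many
        # clients hammering one username are both stopped.
        return not (self.is_locked("user:" + username)
                    or self.is_locked("ip:" + client_ip))

    def record_failure(self, username, client_ip):
        t = self.now()
        for key in ("user:" + username, "ip:" + client_ip):
            recent = [ts for ts in self.failures[key] if ts > t - WINDOW_SECONDS]
            recent.append(t)
            self.failures[key] = recent
            if len(recent) >= MAX_FAILURES:  # threshold hit: lock and reset
                self.locked_until[key] = t + LOCKOUT_SECONDS
                self.failures[key] = []

    def record_success(self, username, client_ip):
        # Clear the account counter only; the address counter stays, so a
        # client cycling through many usernames is still slowed down.
        self.failures.pop("user:" + username, None)

def attempt_login(throttle, verify, username, password, client_ip):
    """Return 'locked', 'ok' or 'bad'; verify() is the site's own password check."""
    if not throttle.allow_attempt(username, client_ip):
        return "locked"                      # refuse before checking the password
    if verify(username, password):
        throttle.record_success(username, client_ip)
        return "ok"
    throttle.record_failure(username, client_ip)
    return "bad"
```

The lock is deliberately temporary and per window, so a burst of bad guesses slows the guesser down without permanently shutting out the paying user the way an outright account closure does.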

Of course, there are some sites -- not very many -- that I couldn't get into. And, some sites were harder than others. However, every site that I did get into had one thing in common: at least one user that made a stupid (make that "ill-informed") choice of a username and password.

Once a username and password have been compromised, and when (not if) it is eventually discovered, most sites will instantly close the account. This eliminates the fraudulent use of that password, but also screws the poor fool who actually paid for access to the site.

Here are some tips to ensure that your account is not the weak account that the other "PassBandit"s of the world compromise:

» The password is more important than the username. Do not assume that because you have an unusual username (including email addresses) that you can choose a simple password. I'd say that at about 2-3% of the webservers I checked, I could obtain that site's entire list of users and their passwords. The passwords are encrypted, but the usernames are not. So, if you chose an easy password, such as "password" or "asdf", I'd have your username/password combination in amazingly short order.

» Make your reminder question tough and unique. If the site offers a "secret question"-type access to your password (in case you lose it), make it something unique, such as "What is my nickname at work?". Believe it or not, a person actually had "QuestionQuestion" as his reminder question. Guess what the correct reply to his reminder question is? If you guessed "AnswerAnswer", congratulations -- the web site will now hand over the poor schmuck's password. True story!

» Do not use your username as the password. Many sites will not allow this, but many still do. Similarly, do not use a password that "fits" with the username. They may be cute, clever, and easy to remember, but username:password combinations such as intel:inside, moody:blues, hewlett:packard, or foghorn:leghorn will be compromised very quickly.

» Make your password at least 6 characters long. Every username and password combination is crackable with enough time and patience. Every additional character you add to your password increases the likelihood that the cracker will run out of time or patience before guessing your password. I could try every combination of letters, one to five characters in length, in an hour or two.

» Use a mix of upper- and lowercase letters, and numbers -- and, if allowed, include symbols, e.g., "Hammer*shreW" or "booKbuicK-720". The more variety your password contains, the less likely that it will be guessed.

» Do not use a single word as your entire password. At several hundred guesses per second, I could (and often did) go through entire unabridged dictionary files, many megabytes in size, and in several languages in no time. Combine two unrelated words, such as bookbuick or hammershrew.

» Change your password frequently if the site gives you that option. Many, many compromised usernames and passwords go undetected for a long time. Change your password at least every few months. Change them more frequently at sites with your credit card or personal info, financial sites, or web-based email accounts. [Note: There is a widely-held belief that certain very HOT eMAIL sites are "unhackable". Trust me, I know this to be false for an absolute fact.]

and, finally,

» Do not use the same username/password combination at multiple sites. Every successful username/password combination a cracker finds is put into a separate "1st run list". This attack list is the first list of combinations that is used against any site. Why? Because people do not want to write down, or try to remember, different password combinations for different sites. This is a very dangerous (yet very common) practice, because once a cracker has that one combination, he or she not only has access to that one site, but has guaranteed access to every site at which you are a member.
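The tips above turned into a registration-time check, plus the search-space arithmetic behind the length tip, as an added example that is not the author's code. The dictionary and the "1st run list" here are tiny constructed samples; a real site would load a full word list and a list of already-compromised credentials.

```python
import string

# Constructed sample data (assumptions, not from the article).
DICTIONARY = {"password", "hammer", "shrew", "book", "buick", "inside",
              "blues", "packard", "leghorn"}
FIRST_RUN_LIST = {"intel:inside", "moody:blues", "hewlett:packard",
                  "foghorn:leghorn"}

def check_password(username, password):
    """Return the list of tips the password violates; empty means it passes."""
    problems = []
    u, p = username.lower(), password.lower()
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if p == u or (len(u) >= 3 and u in p):   # username as, or inside, the password
        problems.append("contains the username")
    if f"{u}:{p}" in FIRST_RUN_LIST:         # pairs already known to crackers
        problems.append("known username:password pair")
    if p in DICTIONARY:                      # one word falls to a dictionary run
        problems.append("single dictionary word")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three of lower/upper/digit/symbol")
    return problems

def keyspace(alphabet_size, max_len):
    """Number of strings of length 1..max_len over the alphabet, i.e. the
    worst-case guess count for an exhaustive search up to that length."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def search_hours(alphabet_size, max_len, guesses_per_second):
    """Worst-case hours to exhaust that keyspace at a given guess rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second / 3600
```

keyspace() makes the length tip concrete: every extra character multiplies the worst-case guess count by the alphabet size, and widening the alphabet with case, digits and symbols raises that multiplier.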

I've grown out of "PassBandit", and it no longer holds a thrill for me. Instead, I've hopped the fence and teach loss prevention topics. But there are thousands of "PassBandit"s out there looking to get into your website stash. Don't make it easy for them.

=============About the Author=====================

Mike Delaney is a shoplifting prevention trainer with over 20 years' experience as a shoplifter, and almost 10 years' experience in stopping them.

Mike is the author of "How to Beat Shoplifters and Increase Profits" available at Bison Creek Desktop Publishing http://www.zianet.com/bisoncreek 

Contact Mike at mailto:DelaneyBookReview@yahoo.com (DelaneyBookReview[at]yahoo[dot]com)
